by smittywerben
502 days ago
What was the body of the HTTP 400? You should log that. Maybe there's a refresh token grace period depending on implementation. I'd sooner be testing in a lab environment recording a pcap file on both sides to try to get the client's TLS session to break before I'd want a client's confidential credential flow sent to me. I don't like to bother people. I've always hated refresh tokens, at least OAuth's design of them. Is sending a client's decrypted MITM logs around really safer?